Splunk Lantern

Rarely used firewall rules

A fundamental task of firewall administration is configuring and managing firewall rules, which ultimately determine whether traffic is allowed or blocked. You might need to see your least often used firewall rules when doing the following:

Prerequisites 

In order to execute this procedure in your environment, the following data, services, or apps are required:

Example

You want to understand which firewall rules in your organization are utilized or hit most often and which are rarely used so that you can tune them better. You also want to identify these rarely used rules as a valuable resource for understanding network traffic patterns and identifying outlier traffic.

To optimize the search shown below, you should specify an index and a time range. In addition, this sample search uses Palo Alto Networks data. You can replace this source with any other firewall data used in your organization. 

  1. Run the following search: 
tag=network tag=communicate rule=*
| rare 5 rule useother=true

Search explanation

The table provides an explanation of what each part of this search achieves. You can adjust this query based on the specifics of your environment.

Splunk Search | Explanation

tag=network tag=communicate 

Search for events that carry both the network and communicate tags. Adjacent terms in a base search are ANDed, so an event must have both tags to match; these are the tags that identify Network Traffic data in the Common Information Model.

rule=*

Keep only events that have a rule field. Events without one are dropped, so the percentages in the result are relative to rule-bearing events only.

| rare 5 rule useother=true

Display the five least common rule values with their event counts and percentages, with all remaining rules grouped into a single OTHER row.

You can change useother=true to useother=false if you aren't interested in the other rules. 
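The same computation, as an added example that is not part of the original article and not Splunk code, lets you sanity-check the rare output offline and also covers the case the SPL search cannot: a rule that never logged an event never reaches rare, so it will not appear in the results at all. The log layout below is a constructed, simplified key=value format (real Palo Alto Networks traffic logs are CSV with a different field layout), the rule names and hit counts are made up, and CONFIGURED_RULES stands in for a rule inventory exported from the firewall; all of these are assumptions for the example.

```python
"""Compute the rarest firewall rules from firewall log lines.

Added example; not Splunk code and not from the Splunk Lantern article.
It mirrors what `rule=* | rare 5 rule useother=true` does, so the SPL result
can be checked offline, and adds a zero-hit check that the SPL search cannot
do on its own (a rule that never logged an event never reaches `rare`).
"""
import re
from collections import Counter

# Constructed sample hit counts per rule (hypothetical names and numbers).
SAMPLE_RULE_HITS = {
    "Allow outbound web": 40,
    "Allow DNS": 25,
    "Allow VPN": 12,
    "Allow SMTP relay": 7,
    "Allow NTP": 6,
    "Block all other IP traffic and log": 4,
    "Allow ping and tracert": 3,
    "Allow IGMP traffic": 2,
    "Block remote SMB": 1,
}

# Constructed rule inventory as it might be exported from the firewall;
# one configured rule produced no events at all.
CONFIGURED_RULES = set(SAMPLE_RULE_HITS) | {"Allow legacy FTP"}

# Simplified key=value layout (assumption; real Palo Alto traffic logs are CSV).
RULE_RE = re.compile(r'\brule="([^"]*)"')


def build_sample_logs():
    """Emit one constructed log line per hit, plus one line with no rule field."""
    lines = []
    for rule, hits in SAMPLE_RULE_HITS.items():
        for i in range(hits):
            action = "deny" if rule.startswith("Block") else "allow"
            lines.append(
                f'type=TRAFFIC src=10.0.{i % 254}.{i % 251 + 1} dst=192.0.2.10 '
                f'rule="{rule}" action={action}'
            )
    # A system event without a rule field; dropped, like rule=* drops it in SPL.
    lines.append('type=SYSTEM message="config commit"')
    return lines


def rule_counts(lines):
    """Count events per rule, ignoring lines that have no rule field."""
    counts = Counter()
    for line in lines:
        m = RULE_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def rare_rules(lines, limit=5, useother=True):
    """Return [(rule, count, percent)] for the `limit` least-hit rules, ascending.

    With useother=True the remaining rules are folded into one trailing OTHER
    row, as `rare ... useother=true` does. Percent is of all events that carried
    a rule field, rounded to six places like Splunk's percent column.
    """
    counts = rule_counts(lines)
    total = sum(counts.values())
    if total == 0:
        return []
    ordered = sorted(counts.items(), key=lambda kv: (kv[1], kv[0]))
    rows = [(rule, n, round(100.0 * n / total, 6)) for rule, n in ordered[:limit]]
    rest = sum(n for _, n in ordered[limit:])
    if useother and rest:
        rows.append(("OTHER", rest, round(100.0 * rest / total, 6)))
    return rows


def unused_rules(lines, configured):
    """Configured rules that produced no events at all.

    `rare` can never list these, because it only sees rules present in events.
    """
    return set(configured) - set(rule_counts(lines))


if __name__ == "__main__":
    logs = build_sample_logs()
    print(f"{'rule':<36}{'count':>6}{'percent':>12}")
    for rule, n, pct in rare_rules(logs, limit=5, useother=True):
        print(f"{rule:<36}{n:>6}{pct:>12.6f}")
    print("never hit:", sorted(unused_rules(logs, CONFIGURED_RULES)))
```

Running the block prints the same six-row shape as the SPL search (five rare rules plus OTHER) and then the one configured rule that never appeared in the logs. That last line is the check to add to any "should we retire this rule" review: compare the rare output against the full rule list, because absence from the search results and a low hit count are two different findings.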

Result

The search results list the rarest rule names, the number of events each rule matched in the search window, and the percentage of all rule-bearing events that count represents. A rule with a consistently low hit count is a candidate for review or retirement, with two caveats. First, rare only reports rules that appear in events: a rule that matched no traffic at all in the time range is absent from the results rather than listed with a count of zero, so compare the output against the firewall's full rule list before concluding a rule is unused. Second, a low count is not by itself a reason to retire a rule; explicit deny rules and rules for infrequent but legitimate traffic (such as a failover or maintenance path) are expected to be hit rarely, and a short time range will hide rules that are only exercised weekly or monthly.

rule                                  count   percent
Block remote SMB                          4   0.007369
Allow IGMP traffic                        6   0.011053
Allow ping, pong, and tracert             7   0.012895
Block all other IP traffic and log        8   0.014737
54                                       10   0.018422
OTHER                                 54249   99.935524
